Section 326: Customer Identity Verification Rules
Understand the regulatory framework of Section 326, detailing the specific obligations for financial institutions when establishing a customer's identity.
Following the September 11th terrorist attacks, the United States government enacted legislation against terrorism financing and international money laundering, known as the USA PATRIOT Act. A provision within this law, Section 326, mandates that financial institutions must confirm the identity of individuals and entities seeking to open accounts. This requirement resulted in the creation of Customer Identification Programs, or CIPs.
These programs are a component of a financial institution’s anti-money laundering (AML) compliance efforts and must include procedures for checking customers against lists of known or suspected terrorists. The purpose is to enable a financial institution to form a reasonable belief that it knows the true identity of its customers, helping prevent illicit funds from entering the financial system.
Required Customer Information
A financial institution’s Customer Identification Program must outline procedures for collecting specific identifying information from every customer at the time of account opening. This applies to all account types, including deposits, loans, and trust services. The rules specify the minimum information that must be gathered before verification can occur.
For Individuals
When an individual opens a new account, the bank is required to obtain four pieces of information.
- The person’s full legal name.
- A complete date of birth.
- A physical street address, as a Post Office box or other mail drop address is generally insufficient.
- An identification number, such as a Social Security Number (SSN) for a U.S. person, or a taxpayer identification number or passport number for a non-U.S. person.
For Legal Entities
The requirements for legal entities, such as corporations and partnerships, are adapted for non-individual customers. The financial institution must collect the full legal name of the entity, the physical street address of its principal place of business, and an identification number, such as a Taxpayer Identification Number (TIN).
In addition to identifying the entity, institutions must also identify and verify the identity of its beneficial owners. This includes any individual who owns 25% or more of the legal entity and at least one individual who exercises significant managerial control over it.
The Verification Process
The Customer Identification Program must detail how the institution will form a reasonable belief that it knows the true identity of the customer. The rules provide flexibility, allowing banks to use different methods, so long as they are risk-based and effective.
The institution can use either documentary or non-documentary methods, or a combination of both. The choice of method often depends on the type of customer, the way the account is being opened, and the institution’s assessment of the risk involved. For example, an account opened online without any face-to-face contact may require more robust verification than an account opened in person.
A primary method for verification involves reviewing official documents. For an individual, this means examining an unexpired, government-issued identification document that contains a photograph, such as a driver’s license or a passport. For a legal entity, the bank may review documents like certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument.
Institutions may also use non-documentary methods to confirm a customer’s identity. This approach involves comparing the information provided by the customer against data from trusted third-party sources. Common examples include cross-referencing information with a credit reporting agency, checking public databases, or using a commercial fraud prevention service. This method is particularly useful when a customer is unable to present standard documents or when the institution needs to corroborate the documents provided.
While these verification procedures are performed when an account is opened, a financial institution’s responsibility does not end there. Regulations also require the ongoing monitoring of customer relationships. This allows institutions to detect and report suspicious transactions and, when necessary, to update and maintain current customer information, particularly for relationships that may present a higher risk.
Recordkeeping and Customer Notice
Financial institutions have ongoing obligations regarding the retention of these records and providing clear communication to customers about these procedures. The rules mandate that a financial institution maintain records of all information obtained to identify a customer. This includes the identifying data itself—name, address, date of birth, and identification number—as well as a description of the document used for verification, the verification methods employed, and the resolution of any discrepancies. These records must be kept for five years after the date the account is closed.
Financial institutions are also required to give customers “adequate notice” that they are requesting information to verify their identities. This notice must be provided in a way that a customer is able to view or receive it before the account is opened. Typically, this is accomplished by posting a notice in the lobby, including it on account opening applications or websites, or through a conspicuous statement provided to the customer.